DATA PROCESSING AGREEMENT
- This Data Processing Agreement (this “Agreement”) is entered into between Morgan & Morgan, P.A. (“Company”) and the business entity or person identified in the applicable Order Form (“Service Provider”). This Agreement will become effective on the earlier of the date Company first uses or accesses the Services or the date Service Provider accepts this Agreement or the Order Form, which Order Form incorporates this Agreement by reference (the “Agreement Effective Date”). Company enters into this Agreement on its own behalf and on behalf of any Affiliate acting as a Controller in respect of Company Personal Data.
The parties hereby agree to the terms and conditions set out below.
- DEFINITIONS.
- “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Company or Service Provider respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
- “Company Personal Data” means Personal Data Processed by Service Provider in connection with the Order Form.
- “Data Protection Laws” means all applicable laws, rules, and regulations of any jurisdiction relating to the protection, privacy, security, integrity, confidentiality, storage, transfer, or other Processing of Personal Data, including, without limitation, United States Data Protection Laws.
- “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
- “Order Form” means any order form, order, statement of work, or other ordering document that references this Agreement and describes the Services.
- “Personal Data” means any information that constitutes “personal information,” “personal data,” “personally identifiable information,” or similar term under Data Protection Laws.
- “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
- “Processor” means the entity that Processes Personal Data on behalf of a Controller.
- “Sale” or “Sell” means the transfer, disclosure, dissemination, or other exchange of Personal Data for monetary or other valuable consideration.
- “Security Incident” means any actual or reasonably suspected unauthorized or unlawful destruction, loss, use, alteration, acquisition, disclosure of, or access to Company Personal Data or information systems owned, operated, or controlled by Service Provider that Process Company Personal Data.
- “Sensitive Information” means the subset of Personal Data that is defined by law as having sensitivity due to its nature, the context of its use or communication entailing a heightened expectation of privacy, the potential for misuse or fraud, or legally significant status. The definition of “sensitive categories of personal data,” “sensitive personal data,” “sensitive personal information,” or “sensitive data” under Data Protection Laws is incorporated into this definition, which shall include, but not be limited to: Personal Data that reveals racial or ethnic origin, religious belief, health diagnosis or status, sexual orientation, citizenship or immigration status, genetic or biometric data used to uniquely identify a natural person, protected health information, government identifiers (such as Social Security Numbers, Social Insurance Numbers, Tax Identification Numbers, or driver's license information), account numbers, credit or debit card numbers, passwords or answers to security questions, evaluations of consumer creditworthiness, the contents of a Data Subject’s mail, email, or text messages where the party collecting such message is not the intended recipient of the communication, information collected from a Data Subject known to be under the age of 16 (or the age of majority, if higher, in jurisdictions where such data is protected by law), or precise geolocation data.
- “Services” means the services provided to Company as described in the Order Form.
- “Subprocessor” means an entity or other natural or legal person appointed or engaged by Service Provider to Process Company Personal Data on behalf of Company under this Agreement.
- “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
- “United States Data Protection Laws” means: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, “CCPA”); (b) the Virginia Consumer Data Protection Act (“VCDPA”); (c) the Colorado Privacy Act and its implementing regulations (“CPA”); (d) the Utah Consumer Privacy Act (“UCPA”); (e) Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”); and (f) any other applicable law or regulation related to the protection of Company Personal Data in the United States that is already in force or that will come into force during the term of this Agreement.
- PROCESSING OF COMPANY PERSONAL DATA.
- Roles of the Parties; Compliance. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Company Personal Data under this Agreement, Company is a Controller and Service Provider is a Processor. In some circumstances, the parties acknowledge that Company may be acting as a Processor to a third-party Controller in respect of Company Personal Data, in which case Service Provider will remain a Processor with respect to the Company in such event. Service Provider shall comply at all times with Data Protection Laws and will promptly notify Company in writing if Service Provider makes a determination that it can no longer meet its obligations under Data Protection Laws.
- Company Instructions. Service Provider shall only Process Company Personal Data in accordance with Company’s documented instructions unless otherwise required by applicable law, in which case Service Provider will inform Company of such Processing. Company hereby instructs Service Provider to Process Company Personal Data solely to provide the Services to Company pursuant to the Order Form. Service Provider shall not Sell any Company Personal Data. Service Provider will immediately notify Company if, in its opinion, an instruction of Company infringes upon Data Protection Laws.
- Details of Processing. The parties acknowledge and agree that the nature and purpose of the Processing of Company Personal Data, the types of Company Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Company Personal Data are as set forth in Appendix 1. The parties further acknowledge and agree that: (a) Company’s disclosure of Company Personal Data to Service Provider hereunder does not constitute a Sale; and (b) Company Personal Data disclosed by Company to Service Provider is provided to Service Provider only for the limited and specified purposes set forth in the Order Form and this Agreement.
- Processing Subject to the CCPA. As used in this Section 2.4, the terms “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA. Service Provider shall not: (a) Sell or Share any Company Personal Data; (b) retain, use, or disclose any Company Personal Data (i) for any purpose other than for the Business Purposes specified in the Order Form, including for any Commercial Purpose other than the Business Purposes specified in the Order Form, or (ii) outside of the direct business relationship between Company and Service Provider; or (c) combine Company Personal Data received from, or on behalf of, Company with Personal Data received from or on behalf of any third party, or collected from Service Provider’s own interaction with Data Subjects, except to perform any Business Purpose required by the Order Form. Service Provider will comply with all applicable obligations under the CCPA and provide the same level of privacy protection to Company Personal Data as is required by the CCPA. Company has the right to take reasonable and appropriate steps to help ensure that Service Provider uses Company Personal Data in a manner consistent with Company’s obligations under the CCPA. If Service Provider notifies Company of unauthorized use of Company Personal Data, including under the foregoing sentence, Company will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use. Service Provider hereby certifies that it understands the foregoing restrictions under this Section 2.4 and will comply with them.
- Sensitive Information. Sensitive Information shall be Processed by Service Provider only when the Data Subject has given explicit consent to the Processing of such Sensitive Information, provided applicable Data Protection Laws do not render such consent to the Processing of Sensitive Information invalid. Service Provider shall not, and shall not permit any other third party to, disclose or share any Sensitive Information with a third party without Company’s instructions and the consent of the Data Subject.
- CONFIDENTIALITY. Service Provider shall: (a) limit access to Company Personal Data only to those entities and individuals who need access to the relevant Company Personal Data, as strictly necessary for the purposes of the Order Form, and to comply with Data Protection Laws in the context of that entity’s or individual’s duties to Company; (b) ensure that Service Provider personnel who Process Company Personal Data are subject to written obligations of confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such Company Personal Data; and (c) ensure the reliability for maintaining confidentiality of any entity or individual engaged or employed in the Processing of Company Personal Data on behalf of Service Provider. Company Personal Data shall be considered Company’s Confidential Information.
- SECURITY.
- Security Measures. Service Provider shall implement and maintain appropriate technical, physical, and organizational measures to ensure the confidentiality, integrity, and availability of Company Personal Data in Service Provider’s care, custody, or control, and to prevent Security Incidents (the “Security Measures”). Such Security Measures shall: (a) be at least as protective as the measures Service Provider applies to its own similar information; (b) comply with Data Protection Laws; and (c) without limiting the generality of the foregoing, include the security controls set forth in Appendix 2.
- Notification of Security Incident. Service Provider shall notify Company of any Security Incident without undue delay and in no event later than 24 hours after becoming aware of such Security Incident. Such notification shall include, to the extent possible: (a) a description of the Security Incident, including the suspected cause, the nature of the information affected, the number and categories of Data Subjects, the impact, and the likely consequences thereof; (b) the expected resolution time (if it has not already been resolved); (c) corrective measures to be taken, evaluation of alternatives, and next steps; and (d) the name and phone number of the Service Provider representative that Company may contact to obtain further information and updates. Service Provider agrees to keep Company informed of progress and actions taken to address the Security Incident and prevent future such Security Incidents.
- Security Incident Response. After becoming aware of a Security Incident, Service Provider shall, at Service Provider’s sole expense: (a) promptly take steps to diligently investigate the Security Incident; (b) identify the cause of such Security Incident, minimize harm, and prevent a recurrence; (c) fully cooperate with Company in investigating the Security Incident; and (d) provide Company with all information, logs, or images reasonably requested by Company in connection with the Security Incident, including, but not limited to, all information to allow Company and each Company Affiliate to meet any obligations to report or inform of the Security Incident under Data Protection Laws and assess the risk to Company or Company Personal Data. Unless required by applicable law, Service Provider shall not notify any third party of any Security Incident without Company’s prior written consent.
- Remediation. Without limitation of Company’s other rights or remedies under this Agreement, following a Security Incident, Service Provider shall indemnify Company and be responsible for the following to the extent arising from the Security Incident: (a) the cost of providing notice of the Security Incident in a manner and format determined by Company, in its sole discretion, to individuals and other third parties that Company reasonably determines should be notified of the Security Incident, such as regulators, law enforcement agencies and consumer reporting agencies; (b) the cost of providing affected individuals with credit monitoring and protection services for 12 months (or longer, if required by applicable data breach notification laws); (c) the cost of any other legally-required or industry standard measures; (d) Company’s attorneys’ and consultants’ fees directly attributable to the Security Incident; and (e) any fines, costs, assessments, or penalties directly attributable to the Security Incident.
- Requests for Company Personal Data. Service Provider shall immediately notify Company in the event of any request, inquiry, or demand (including any subpoena, court order, or other legal request) relating to Company Personal Data and direct the requesting party to submit their request, inquiry, or demand directly to Company. Service Provider shall challenge any such request, inquiry, or demand on any appropriate grounds. If compelled to disclose Company Personal Data to a law enforcement agency or regulator, Service Provider shall provide reasonable assistance and cooperation to Company in order for Company to seek a protective order or other appropriate remedy prior to any such disclosure.
- SUBPROCESSING. Company generally authorizes Service Provider to engage Subprocessors that are necessary for the Processing of Company Personal Data. A list of Service Provider’s Subprocessors, including their functions and locations, is available upon Company’s request and may be updated by Service Provider from time to time in accordance with this Section 5. Service Provider shall notify Company in writing of the addition or replacement of any Subprocessor at least thirty (30) days prior to the proposed engagement. Company may object to the proposed Subprocessor by providing Service Provider written notice of such objection. Upon receiving such an objection, Service Provider shall: (a) work with Company in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; or (b) take corrective steps requested by Company in its objection. If Service Provider informs Company that such change or corrective steps cannot be made, Company may immediately terminate all or a portion of the Order Form for convenience and receive a refund of any prepaid fees. Prior to engaging any Subprocessor, Service Provider shall enter into a written contract with such Subprocessor containing data protection obligations at least equivalent in substance to those in this Agreement. Service Provider shall be liable for all acts and omissions of the Subprocessor as if they were Service Provider’s acts and omissions.
- DATA SUBJECT RIGHTS. Service Provider shall assist Company, including by implementing appropriate technical and organizational measures, with the fulfillment of Company’s obligations under Data Protection Laws to respond to requests by Data Subjects to exercise their rights under Data Protection Laws. If Service Provider receives any request, inquiry, or complaint from a Data Subject with respect to Company Personal Data, Service Provider shall notify Company within 72 hours and provide Company with full details of the request. Service Provider shall not respond to that request except on the documented instructions of Company.
- ASSESSMENTS AND PRIOR CONSULTATIONS. Service Provider shall provide reasonable assistance and cooperation to Company for Company to conduct any data protection impact assessment, transfer impact assessment, or prior consultation with a Supervisory Authority under Data Protection Laws in connection with Service Provider’s Processing of Company Personal Data.
- RELEVANT RECORDS AND AUDIT RIGHTS. Upon Company’s request, Service Provider shall promptly make available to Company all information in Service Provider’s possession reasonably necessary to demonstrate Service Provider’s compliance with Data Protection Laws and Service Provider’s obligations set out in this Agreement. Service Provider shall allow for, cooperate with, and contribute to reasonable assessments and audits, including inspections, by Company or an auditor mandated by Company (“Mandated Auditor”), including of any premises where the Processing of Company Personal Data takes place, in order to assess compliance with this Agreement and Data Protection Laws.
- DATA TRANSFERS. During the term of the Agreement, Company Personal Data shall at all times be hosted on servers that are physically located in the United States, unless otherwise agreed in writing by the parties. Service Provider shall comply, and provide Company with commercially reasonable assistance to comply, with all applicable data privacy, security, and cross-border transfer laws, regulations, and guidelines in the country to which and from which Company Personal Data will be transferred. Service Provider shall legitimize any cross-border exchange of Company Personal Data through data transfer mechanisms approved under Data Protection Laws, such as United Kingdom- or European Union-approved standard contractual clauses or binding corporate rules with respect to transfers of Personal Data out of the United Kingdom or European Union.
- DELETION OR RETURN OF COMPANY PERSONAL DATA. Following termination or expiration of the Order Form, Service Provider shall, at Company’s option, delete or return Company Personal Data and all copies to Company, except to the extent retention thereof is required by applicable law. If Service Provider retains Company Personal Data pursuant to applicable law, then: (a) Service Provider shall notify Company of such retention requirement; (b) Company Personal Data may be retained only to the extent and for such period as required by applicable law; and (c) Service Provider shall ensure the confidentiality of all retained Company Personal Data and that such Company Personal Data is only Processed as necessary for the purpose specified in the applicable laws requiring its storage and for no other purpose.
- INDEMNIFICATION. Service Provider shall indemnify and hold harmless Company and Company’s Affiliates, employees, and agents from and against any and all liabilities, losses, damages, costs, and other expenses (including attorneys’ and expert witnesses’ costs and other legal fees) arising from or relating to Service Provider’s breach of this Agreement. In the event of any third-party claim, demand, suit, or action (a “Claim”) for which Company (or any of Company’s Affiliates, employees, or agents) is or may be entitled to indemnification under this Agreement, Company may, at Company’s option, require Service Provider to defend such Claim at Service Provider’s sole expense. Service Provider shall not settle any such Claim without Company’s express prior written consent.
- INSURANCE. For so long as Service Provider is Processing Company Personal Data, Service Provider shall purchase from and maintain with a company with a rating of “A-” or better insurance in the following amounts and coverages: cyber liability insurance with limits of $5,000,000 for each claim and in the aggregate. The cyber liability insurance shall include the following: Security and Privacy Liability, PCI-DSS penalties, Regulatory Defense and Penalties, Media Liability, Notification Expenses, Network Interruption, Cyber Extortion Expenses, Wire Fraud, Reputational Defense, unauthorized access to or use of a computer network, systems, data, or software, a denial of service attack, and the transmission of malicious code from Service Provider’s computer system to a computer system of Company. Such insurance policies shall: (a) name Company as an additional insured; (b) be primary and noncontributing with any other insurance held by Company; and (c) indicate that the coverage afforded Company shall not be invalidated by any act or omission of any insured. Company will be notified in accordance with policy provisions if policies are cancelled.
- GENERAL TERMS. This Agreement will, notwithstanding the expiration or termination of the Order Form, enter into force as of the Agreement Effective Date and remain in effect until Service Provider’s deletion or return of all Company Personal Data. Service Provider may not assign or transfer, by operation of law or otherwise, any of its rights or obligations under this Agreement (including the rights to access the Company Personal Data) to any third party without Company’s prior written consent. All waivers must be in writing. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion. Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. To the extent of any conflict or inconsistency between this Agreement and the other terms of the Order Form, this Agreement will govern. Unless otherwise expressly stated herein, the parties will provide notices under this Agreement to the contact details listed in the Order Form, provided that all such notices may be sent via email. This Agreement will be governed by and construed in accordance with the laws of the State of Florida, and the parties submit to the jurisdiction of the State of Florida, unless required otherwise by Data Protection Laws. This Agreement (including all exhibits and attachments) constitutes the entire agreement between the parties regarding the subject matter hereof and supersedes all prior or contemporaneous agreements and communications, whether written or oral, regarding such subject matter.
This Agreement may be amended only by a written document signed by both parties.
This Agreement was last updated on August 11, 2023.
APPENDIX 1: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA
- Subject matter and duration of the Processing of Company Personal Data
The subject matter and duration of the Processing are as described in the Order Form and the Agreement.
- Nature and purpose of the Processing of Company Personal Data
The nature and purpose of the Processing are those activities reasonably required to facilitate or support the provision of the Services as described in the Order Form and the Agreement.
- The categories of Data Subjects to whom Company Personal Data relates
The categories of Data Subjects shall be as is contemplated or related to the Processing described in the Order Form.
- The categories of Company Personal Data
The categories of Company Personal Data Processed are those categories contemplated in and permitted by the Order Form.
- The sensitive data included in Company Personal Data
The parties anticipate that Service Provider shall Process Sensitive Information, which may include Social Security Numbers, medical information, and health diagnosis or status.
Any Sensitive Information contained in the Company Personal Data shall be secured in accordance with the safeguards described in Appendix 2 and any additional safeguards required by Data Protection Laws applicable to such Sensitive Information.
- The frequency of Company’s transfer of Company Personal Data to Service Provider:
On a continuous basis for the term of the Order Form.
- The period for which Company Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
As set forth in the Order Form or the Agreement.
- For transfers to Subprocessors, the subject matter, nature and duration of the Processing of Company Personal Data:
As set forth in the Order Form or the Agreement.
APPENDIX 2: SECURITY MEASURES
- Comprehensive Written Information Security Program.
- Implement, maintain, and comply with written information security policies and procedures to protect the security, confidentiality, availability, integrity, and resiliency of Personal Data and any systems, networks, devices, or applications that store or otherwise Process Personal Data, which are: (i) aligned with an industry-standard control framework (e.g., NIST SP 800-53, ISO 27001, SOC 2 Type 2, CIS Critical Security Controls); (ii) approved by executive management; (iii) reviewed and updated at least annually; and (iv) communicated to all personnel with access to Personal Data.
- Implement, maintain, document, and comply with administrative, technical and physical safeguards, including policies, procedures, guidelines, practices, standards, and controls that ensure: (i) the security, confidentiality, integrity, availability, and resiliency of Personal Data; (ii) protect against any foreseeable threats or hazards to Personal Data; (iii) protect against any Security Incident; and (iv) ensure that Service Provider’s personnel are appropriately trained to maintain the security, confidentiality, integrity, availability, and resiliency of Personal Data, consistent with the terms of the Order Form, the Agreement, and Data Protection Laws.
- Assign to an individual or a group of individuals the responsibility for developing, implementing, and managing the organization’s written information security program.
- Regularly test, monitor, evaluate, and update the sufficiency and effectiveness of the information security program, including Security Incident response procedures.
- Risk Assessment.
- Conduct and document information security risk assessments at least annually and whenever there is a material change in the organization’s business or technology practices that may impact the security, confidentiality, integrity, availability, and resiliency of Personal Data or systems used to Process Personal Data. The risk assessment will include: (i) identifying and assessing reasonably foreseeable internal and external threats and risks to the security, confidentiality, integrity, availability, and resiliency of Personal Data; (ii) assessing the adequacy of personnel training concerning, and compliance with, the information security program; (iii) assessing the adequacy of service provider arrangements; (iv) adjusting and updating the information systems and information security program to limit and mitigate identified threats and risks, and to address material changes in relevant technology, business practices, Personal Data practices and sensitivity of Personal Data Processed; and (v) assessing whether the information security program is operating in a manner reasonably calculated to prevent and mitigate Security Incidents.
- Risk assessments shall be conducted by independent third parties or by internal personnel independent of those who develop or maintain the organization’s information systems or information security program, and the results shall be reported to senior management.
- Report results of risk assessments and information concerning the condition of Service Provider’s information security and compliance to internal senior management.
- Data Collection, Retention and Disposal. Collect only as much Personal Data as needed to accomplish the purpose for which the information is collected. Securely dispose of records containing Personal Data so that the information cannot be read or reconstructed after it is no longer needed to comply with business purposes or legal obligations. Maintain technical and organizational measures to permit the exercise of Data Subject rights in accordance with Data Protection Laws and the Order Form, including without limitation rights of data portability and erasure.
- Personnel Background Checks and Training. Conduct reasonable background checks (including criminal background checks) of any personnel or third parties who will have access to Personal Data or relevant information systems, and repeat the checks at appropriate and adequate intervals. Prohibit individuals convicted of a crime of dishonesty, breach of trust or money laundering from having access to Personal Data. Train personnel to maintain the security, confidentiality, integrity, availability, and resiliency of Personal Data, consistent with the terms of the Order Form, the Agreement, and Data Protection Laws.
- Vendor Management and Oversight. Conduct appropriate due diligence and monitoring to ensure Subprocessors are capable of: (a) maintaining the security, confidentiality, integrity, availability, and resiliency of Personal Data, (b) complying with Data Protection Laws, and (c) assisting Company with complying with requests from data subjects, including without limitation requests for data portability or erasure. Contractually require subcontractors to maintain adequate safeguards for Personal Data that are the same as the safeguards that Company must implement pursuant to its contractual and legal obligations. Regularly assess and monitor Subprocessors to confirm their compliance with applicable privacy and information security requirements and Data Protection Laws.
- Access Controls. Identify personnel, classes of personnel and third parties whose documented business functions and responsibilities require access to Personal Data, relevant information systems, and Service Provider’s premises. Permit access to Personal Data, relevant information systems, and Service Provider’s premises only to such authorized personnel and third parties. Maintain a current record of personnel and third parties who are authorized to access Personal Data, relevant information systems, and Service Provider’s premises, and the purposes of such access. Maintain logical and physical access controls, secure user authentication protocols, secure access control methods, and firewall protection.
- Secure User Authentication. Maintain secure control over user IDs, passwords and other authentication identifiers. Maintain password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that passwords controlling access to Personal Data must: (a) be at least eight (8) characters in length and meet minimum complexity requirements; (b) not be stored in readable format on the organization’s computer systems; (c) have a history threshold to prevent reuse of recent passwords; (d) be changed following risk of exposure; and (e) if newly issued, be changed after first use. Restrict access to Personal Data and relevant information systems to only active users and accounts. Block user access after multiple unsuccessful attempts to log in or otherwise gain access to Personal Data or relevant information systems. Terminate user access after a predetermined period of inactivity. Promptly revoke or change access in response to personnel termination or changes in job functions.
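One way to enforce the password and account controls in this clause in an application, as an added illustration rather than code belonging to Company or Service Provider. The eight-character minimum comes from the clause; the history depth, lockout count, inactivity timeout and the three-of-four-classes complexity rule are assumptions, since the text leaves them to the Service Provider.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8            # clause (a): at least eight characters
HISTORY_DEPTH = 5         # clause (c): prior passwords remembered (depth is an assumption)
MAX_FAILED_LOGINS = 5     # "multiple unsuccessful attempts": exact count is an assumption
INACTIVITY_TIMEOUT = 900  # seconds; the "predetermined period" is an assumption

def hash_password(password, salt):
    # clause (b): only a salted PBKDF2 digest is stored, never the readable password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def meets_complexity(password):
    # clause (a): minimum length plus three of four character classes (assumed rule)
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= MIN_LENGTH and sum(classes) >= 3

class Account:
    def __init__(self, initial_password, now=0.0):
        self.history = []                   # (salt, digest) pairs for clause (c) reuse checks
        self.must_change = True             # clause (e): newly issued, change after first use
        self.failed, self.locked, self.active, self.last_seen = 0, False, True, now
        self._store(initial_password)
    def _store(self, password):
        salt = os.urandom(16)               # fresh salt on every change
        self.salt, self.digest = salt, hash_password(password, salt)
        self.history = (self.history + [(salt, self.digest)])[-HISTORY_DEPTH:]
    def change_password(self, new_password):
        # clauses (a), (c), (d): reject weak or recently used passwords
        if not meets_complexity(new_password):
            return False
        if any(hmac.compare_digest(hash_password(new_password, s), d) for s, d in self.history):
            return False
        self._store(new_password)
        self.must_change = False
        return True
    def login(self, password, now):
        if not self.active or self.locked:  # revoked and locked accounts stay out
            return "denied"
        if not hmac.compare_digest(hash_password(password, self.salt), self.digest):
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED_LOGINS   # block after repeated failures
            return "denied"
        self.failed, self.last_seen = 0, now
        return "change_required" if self.must_change else "ok"
    def session_valid(self, now):           # terminate sessions idle past the timeout
        return self.active and now - self.last_seen < INACTIVITY_TIMEOUT
```

Setting `active` to False on termination or a change of job function covers the final sentence of the clause; the lockout and inactivity checks then refuse access without any further state.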
- Incident Detection and Response. Maintain policies and procedures to detect, monitor, document, and respond to actual or reasonably suspected Security Incidents, and encourage the reporting of such incidents, including through: (a) training personnel with access to Personal Data to recognize actual or potential Security Incidents and to escalate and notify senior management of such incidents; (b) mandatory post-Security Incident review of events and actions taken concerning the security of Personal Data; and (c) policies governing the reporting of Security Incidents to regulators and law enforcement agencies.
- Pseudonymization and Encryption. Implement and maintain technical and organizational measures to pseudonymize Personal Data in accordance with Data Protection Laws, such as attribute suppression, character masking, noise addition, differential privacy, swapping, k-anonymity, and L-diversity/T-closeness. Apply industry standard encryption to Personal Data: (a) stored on any medium (i.e., laptops, mobile devices, portable storage devices, file servers and application databases), where technically feasible; and (b) in transit (using TLS 1.2 or greater) across any public network (such as the Internet), wirelessly, in email attachments, or outside of Service Provider’s information systems.
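A worked illustration of three of the pseudonymization techniques named above (attribute suppression, character masking, and a k-anonymity / L-diversity check), added here as example code rather than anything from the Agreement or either party. The records, the choice of quasi-identifiers (zip, birth year), the sensitive attribute (claim type) and the thresholds k=3, l=2 are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample records for the example; not real Personal Data.
RECORDS = [
    {"name": "Ann Lee", "zip": "32801", "birth_year": 1984, "claim": "auto"},
    {"name": "Bo Diaz", "zip": "32803", "birth_year": 1988, "claim": "home"},
    {"name": "Cy Park", "zip": "32805", "birth_year": 1981, "claim": "auto"},
    {"name": "Di Roy",  "zip": "32901", "birth_year": 1975, "claim": "life"},
    {"name": "Ed Kim",  "zip": "32904", "birth_year": 1972, "claim": "home"},
    {"name": "Fay Wu",  "zip": "32907", "birth_year": 1979, "claim": "auto"},
]
QUASI = ("zip", "birth_year")   # attributes that could re-identify someone in combination
SENSITIVE = "claim"             # attribute whose value must not be inferable per person

def mask_chars(value, keep):
    # Character masking: keep a prefix, replace the remainder with '*'
    return value[:keep] + "*" * (len(value) - keep)

def pseudonymize(records):
    # Attribute suppression drops the direct identifier (name); the quasi-identifiers
    # are generalised (zip masked to 3 digits, birth year to a decade).
    return [{"zip": mask_chars(r["zip"], 3),
             "birth_year": r["birth_year"] // 10 * 10,
             SENSITIVE: r[SENSITIVE]} for r in records]

def k_anonymity(rows):
    # k = size of the smallest group of rows sharing the same quasi-identifier values
    return min(Counter(tuple(r[q] for q in QUASI) for r in rows).values())

def l_diversity(rows):
    # l = fewest distinct sensitive values found in any quasi-identifier group
    groups = defaultdict(set)
    for r in rows:
        groups[tuple(r[q] for q in QUASI)].add(r[SENSITIVE])
    return min(len(values) for values in groups.values())

def release_if_safe(records, k=3, l=2):
    # Returns the pseudonymized rows only when both thresholds are met; otherwise None,
    # signalling that further generalisation or suppression is required before release.
    rows = pseudonymize(records)
    if k_anonymity(rows) < k or l_diversity(rows) < l:
        return None
    return rows
```

On the raw records every (zip, birth_year) pair is unique (k=1); after masking and generalisation the six rows fall into two groups of three, each holding at least two claim types.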
- Network Security. Implement network security controls such as up-to-date firewalls, layered DMZs, updated intrusion detection/prevention systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack. Such controls shall include firewalls between information systems, the Internet (including internal networks connected to the Internet) and other public networks, and internal networks that are not necessary for processing Personal Data. The firewalls must be reasonably designed to maintain the security of Personal Data and relevant information systems.
- Data Segregation. Physically or logically segregate Company’s data and information, including without limitation Company Personal Data, to ensure it is not commingled with another party’s data unless approved in writing by Company.
- Malicious Code Detection. Implement and maintain software that detects, prevents, removes, and remedies malicious code designed to perform an unauthorized function on, or permit unauthorized access to, any information system, including computer viruses, Trojan horses, worms, and time or logic bombs. Run malicious code detection software at least daily. Update malicious code detection software at least daily, including by obtaining and implementing the most current available virus signatures.
- Vulnerability and Patch Management. Maintain vulnerability management and regular application, operating system and other infrastructure patching procedures and technologies to identify, assess, mitigate, and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code.
- Change Controls. Prior to implementing changes to the organization’s information systems, follow a documented change management process to assess the potential impact of such changes on security, confidentiality, integrity, availability, and resiliency of Personal Data, and determine whether such changes are consistent with the organization’s information security program. No changes should be made to information systems or the information security program that increase the risk of a Security Incident or fail to comply with Service Provider’s contractual or other legal obligations.
- Off-Premise Information Security. Maintain policies governing the security of the storage, access, transportation and destruction of records or media containing Personal Data outside of business premises. Monitor and document movement of records or media containing Personal Data. Create copies of Personal Data before movement of records or media containing the information.
- Physical Security. Maintain reasonable restrictions on physical access to Personal Data and relevant information systems (i.e., clean desk policy). Ensure physical and environmental security of data center, server room facilities and other areas containing Personal Data to: (a) protect information assets from unauthorized physical access; (b) manage, monitor, and log movement of persons into and out of facilities; and (c) guard against environmental hazards such as heat, fire, and water damage. Lock workstations with access to Personal Data when unattended. Document repairs and modifications to information security-related physical components of Service Provider’s information systems.
- Business Continuity and Disaster Recovery. Maintain policies and procedures for responding to an emergency or other occurrence that can compromise the security, confidentiality, integrity, availability, and resiliency of Personal Data or damage information systems; such policies and procedures should provide for: (a) creating and maintaining retrievable copies of Personal Data; (b) restoring any loss of Personal Data; (c) enabling continuation of critical business processes involving Personal Data in emergency mode; and (d) periodic testing and updates of contingency plans.